Date: Wed, 11 May 2022 14:57:28 +0200
From: Greg KH
To: Schspa Shi
Cc: rafael@kernel.org, ming.lei@canonical.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] driver: base: fix UAF when driver_attach failed

On Wed, May 11, 2022 at 08:43:36PM +0800, Schspa Shi wrote:
> When driver_attach(drv); failed, the driver_private will be freed.
> But it has been added to the bus, which caused a UAF.
>
> To fix it, we need to delete it from the bus when failed.
>
> Fixes: 190888ac01d0 ("driver core: fix possible missing of device probe")
>
> Signed-off-by: Schspa Shi

No blank line needed after fixes:

> ---
> drivers/base/bus.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/base/bus.c b/drivers/base/bus.c
> index 97936ec49bde..7ca47e5b3c1f 100644
> --- a/drivers/base/bus.c
> +++ b/drivers/base/bus.c
> @@ -617,7 +617,7 @@ int bus_add_driver(struct device_driver *drv)
> if (drv->bus->p->drivers_autoprobe) {
> error = driver_attach(drv);
> if (error)
> - goto out_unregister;
> + goto out_del_list;
> }
> module_add_driver(drv->owner, drv);
>
> @@ -644,6 +644,8 @@ int bus_add_driver(struct device_driver *drv)
>
> return 0;
>
> +out_del_list:
> + klist_del(&priv->knode_bus);

Odd, how did you find this? Has this ever been triggered by any
real-world situations?

thanks,

greg k-h
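
Review bot: the changelog does not say under what condition driver_attach(drv) returns an error on the "if (error)" path in the first hunk of bus_add_driver(), nor which later access touches the freed driver_private. Please add the failing condition and the resulting trace (for example a KASAN report) to the commit message, so the Fixes: tag and the retargeted "goto out_del_list" can be checked against a concrete failure.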
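
Review bot: in the second hunk, klist_del(&priv->knode_bus) under out_del_list only drops the node's reference and returns; it does not wait for a concurrent iterator that still holds the node, which klist_remove() does. Since the changelog says the driver_private is freed on this path, consider klist_remove() here, or state in the changelog why no iterator can hold knode_bus at this point. The quoted hunk is cut off after the klist_del() line, so also confirm that the new label falls through to out_unregister rather than returning.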